Francis
2022-Feb-24 21:37 UTC
[Samba] password complexity bypassed by check password script
Users are created with Windows RSAT tools and custom internal applications (ldap clients).

Just to be clear, I'm talking about this samba configuration parameter: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1542

Now that I know this, I'll just implement a complexity check in my script and the problem will be solved for me.

I wrote this email because I'm not sure if this is a bug or feature. Like I said, it can lead to failure to comply with security policies. If this is working as expected, I suggest editing the documentation to make it more obvious.

Thank you!

On Thu, 24 Feb 2022 at 16:29, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > Hello,
> >
> > I was wondering why my DC allowed users to set weak passwords even if the domain password policy requires "complexity".
> >
> > I'm using a "check password script" that verifies if the password is leaked in the HIBP database. I found that defining a check password script REPLACES completely the built-in password complexity check.
>
> How are you creating users? Using 'samba-tool user add' requires the username and password, so you could feed it the output of your 'check password script' and if this password didn't meet the domain password complexity, the user wouldn't be created.
>
> Rowland
Andrew Bartlett
2022-Feb-24 21:46 UTC
[Samba] password complexity bypassed by check password script
A patch to say:

When Samba is acting as an AD DC, the "check password script" is run only on user (not machine) accounts that require complex passwords under the password policy and replaces the default password quality rules. This can be helpful to permit long passphrases instead of 'complex' short passwords.

The default rules in the AD DC are that passwords must contain characters from three of the following five categories:
- Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
- Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

would be well accepted. That text is from the comment in genrand_util.c.

Andrew Bartlett

On Thu, 2022-02-24 at 16:37 -0500, Francis via samba wrote:
> Users are created with Windows RSAT tools and custom internal applications (ldap clients).
>
> Just to be clear, I'm talking about this samba configuration parameter:
> https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1542
>
> Now that I know this, I'll just implement a complexity check in my script and the problem will be solved for me.
>
> I wrote this email because I'm not sure if this is a bug or feature. Like I said, it can lead to failure to comply with security policies. If this is working as expected, I suggest editing the documentation to make it more obvious.
>
> Thank you!
>
> On Thu, 24 Feb 2022 at 16:29, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > > Hello,
> > >
> > > I was wondering why my DC allowed users to set weak passwords even if the domain password policy requires "complexity".
> > >
> > > I'm using a "check password script" that verifies if the password is leaked in the HIBP database. I found that defining a check password script REPLACES completely the built-in password complexity check.
> >
> > How are you creating users? Using 'samba-tool user add' requires the username and password, so you could feed it the output of your 'check password script' and if this password didn't meet the domain password complexity, the user wouldn't be created.
> >
> > Rowland

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
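Added example, not code from this thread or from Samba: a minimal "check password script" that re-applies the three-of-five category rule Andrew lists before any site-specific check runs, so that setting the parameter does not silently drop the complexity requirement. It assumes the documented contract for the parameter (Samba passes the candidate password on the script's standard input and treats exit status 0 as acceptance); the category classification follows the listed text, not Samba's C implementation, so edge cases may be classified differently.

```python
import sys
import unicodedata

# Categories as documented for the Samba AD DC default rule: a password must
# contain characters from at least three of the five. Assumption: this follows
# the documented wording; Samba's own C code may classify edge cases differently.
NONALNUM = set('~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/')
DIGITS = set("0123456789")
REQUIRED_CATEGORIES = 3


def password_categories(password: str) -> set:
    """Return the set of category names present in the password."""
    found = set()
    for c in password:
        if c in DIGITS:
            found.add("digit")
        elif c in NONALNUM:
            found.add("nonalnum")
        elif c.isupper():            # Latin (incl. diacritics), Greek, Cyrillic
            found.add("upper")
        elif c.islower():            # incl. sharp-s and other lowercase letters
            found.add("lower")
        elif unicodedata.category(c).startswith("L"):
            found.add("other_alpha")  # alphabetic but neither case, e.g. CJK
    return found


def meets_complexity(password: str) -> bool:
    """True if the password satisfies the three-of-five category rule."""
    return len(password_categories(password)) >= REQUIRED_CATEGORIES


def main() -> int:
    # Samba writes the candidate password to the script's stdin and accepts it
    # only when the script exits 0; any other status rejects the change.
    password = sys.stdin.read()
    if password.endswith("\n"):      # drop one trailing newline, nothing else
        password = password[:-1]
    if not meets_complexity(password):
        print("Password must use at least three of: uppercase, lowercase, "
              "digits, symbols, other alphabetic characters")
        return 1
    # Site-specific checks (for example a lookup against a local copy of the
    # HIBP hash list) go here; returning non-zero rejects the password.
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The complexity check runs first so a password that is merely absent from the breach list is still rejected when it fails the policy's category rule.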
Jonathon Reinhart
2022-Feb-24 21:50 UTC
[Samba] password complexity bypassed by check password script
On Thu, Feb 24, 2022 at 4:38 PM Francis via samba <samba at lists.samba.org> wrote:
>
> Users are created with Windows RSAT tools and custom internal applications (ldap clients).
>
> Just to be clear, I'm talking about this samba configuration parameter:
> https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1542
>
> Now that I know this, I'll just implement a complexity check in my script and the problem will be solved for me.
>
> I wrote this email because I'm not sure if this is a bug or feature. Like I said, it can lead to failure to comply with security policies. If this is working as expected, I suggest editing the documentation to make it more obvious.
>
> Thank you!
>
> On Thu, 24 Feb 2022 at 16:29, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > > Hello,
> > >
> > > I was wondering why my DC allowed users to set weak passwords even if the domain password policy requires "complexity".
> > >
> > > I'm using a "check password script" that verifies if the password is leaked in the HIBP database. I found that defining a check password script REPLACES completely the built-in password complexity check.

I am also using the "check password script" option in smb.conf to check passwords against the HIBP database (https://gitlab.com/JonathonReinhart/passhashdb). I, too, was completely unaware that using "check password script" bypasses the built-in password complexity checks.

Andrew, I understand your rationale, and I agree with Francis that a documentation update would be very welcome.

Jonathon